Sophos Docker

Log collectors enable you to easily automate log upload from your network. The log collector runs on your network and receives logs over Syslog or FTP. Each log is automatically processed, compressed, and transmitted to the portal. FTP logs are uploaded to Microsoft Cloud App Security after the file has finished its FTP transfer to the Log Collector. For Syslog, the Log Collector writes the received logs to disk and then uploads the file to Cloud App Security once the file size exceeds 40 KB.

After a log is uploaded to Cloud App Security, it's moved to a backup directory. The backup directory stores the last 20 logs. When new logs arrive, the old ones are deleted. Whenever the log collector disk space is full, the log collector drops new logs until it has more free disk space. You'll receive a warning on the Log collectors tab of the Upload logs automatically settings when this happens.
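The receive, upload, backup and drop behaviour described above, modelled as an added Python example (not the Log Collector's own code): the 40 KB upload trigger, the 20-file backup ring and the drop-when-full rule come from the text; the disk budget, file names, the 100-byte records and the omission of compression are constructed assumptions.

```python
"""Model of the Log Collector's syslog spool: upload at 40 KB, keep 20 backups, drop when full."""
import os
import tempfile

UPLOAD_THRESHOLD = 40 * 1024   # article: a syslog file is uploaded once it exceeds 40 KB
BACKUP_KEEP = 20               # article: the backup directory keeps the last 20 logs


class SyslogSpool:
    def __init__(self, root, disk_budget):
        self.backup_dir = os.path.join(root, "backup")
        os.makedirs(self.backup_dir, exist_ok=True)
        self.current = os.path.join(root, "current.log")
        open(self.current, "wb").close()
        self.disk_budget = disk_budget  # assumed: bytes the collector may use on disk
        self.seq, self.dropped, self.uploaded = 0, 0, []

    def backups(self):
        return sorted(os.listdir(self.backup_dir))

    def _used(self):
        names = [self.current] + [os.path.join(self.backup_dir, n) for n in self.backups()]
        return sum(os.path.getsize(n) for n in names)

    def receive(self, line: bytes):
        """Append one syslog record; drop it when the disk budget is exhausted."""
        if self._used() + len(line) > self.disk_budget:
            self.dropped += 1           # article: new logs are dropped until space frees up
            return
        with open(self.current, "ab") as fh:
            fh.write(line)
        if os.path.getsize(self.current) > UPLOAD_THRESHOLD:
            self._upload_and_rotate()

    def _upload_and_rotate(self):
        self.seq += 1
        name = f"log-{self.seq:05d}"    # the real collector compresses before upload; omitted here
        self.uploaded.append((name, os.path.getsize(self.current)))
        os.replace(self.current, os.path.join(self.backup_dir, name))  # "moved to a backup directory"
        open(self.current, "wb").close()
        for old in self.backups()[:-BACKUP_KEEP]:   # keep only the newest 20 backups
            os.remove(os.path.join(self.backup_dir, old))


def simulate(n_lines, disk_budget, line_len=100):
    """Feed n_lines constructed records; report uploads, retained backups and dropped records."""
    with tempfile.TemporaryDirectory() as root:
        spool = SyslogSpool(root, disk_budget)
        for i in range(n_lines):
            spool.receive((f"{i:08d} ".ljust(line_len - 1, "x") + "\n").encode())
        return {"uploads": len(spool.uploaded), "backups": len(spool.backups()), "dropped": spool.dropped}
```

simulate(2000, 100_000) shows the silent loss: once two backups plus the current file fill the budget, every further record is counted as dropped, which is the condition the Log collectors tab warns about.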

Before setting up automatic log file collection, verify your log matches the expected log type. You want to make sure Cloud App Security can parse your specific file. For more information, see Using traffic logs for Cloud Discovery.

Note

  • Cloud App Security provides support for forwarding logs from your SIEM server to the Log Collector assuming the logs are being forwarded in their original format. However, it is highly recommended that you integrate the log collector directly with your firewall and/or proxy.
  • The log collector compresses data before it is uploaded. The outbound traffic on the log collector will be 10% of the size of the traffic logs it receives.
  • If the log collector encounters issues, you will receive an alert once no data has been received for 48 hours.

Other Docker-related scanning projects mentioned on this page:

  • mindcollapse/MalwareMultiScan: a self-hosted VirusTotal / MetaDefender wannabe with an API, demo UI and scanners running in Docker.
  • clifflu/guanyu: a RESTful API wrapper for Sophos Antivirus for Linux Free, built on top of maxipowa/sophos-av. Install it with docker pull clifflu/guanyu and start it with docker run -d -p 3000:3000 clifflu/guanyu.

Deployment modes

The Log Collector supports two deployment modes:

  • Container: Runs as a Docker image on Windows, Ubuntu on premises, Ubuntu in Azure, RHEL on premises or CentOS.

  • Virtual appliance: Runs as an image over Hyper-V or VMware hypervisor (deprecated)


This article details the addition of support for Docker containers within Sophos Antivirus for Linux.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos Anti-Virus for Linux

As containers become more widely deployed on Linux servers, it is paramount to ensure that running containers have not been injected with malware.

Sophos Antivirus for Linux has been enhanced to improve detection of malware in Docker containers using on-access scanning and to improve the way in which detections in Docker containers are presented within the Sophos management consoles. Now, when a threat is identified within a Docker container, the threat report will state the path and hostname of the container. This will be displayed as (container hostname=<hostname>).

Threat detection within Docker containers has been available since the following versions of Sophos Antivirus for Linux:

  • SAV for Linux version 9.13.0+
  • SAV for Linux version 10.1.1+ (Sophos Central only)
For Sophos Antivirus for Linux to detect threats in Docker containers, the Talpa on-access driver must be used, because the fanotify kernel interface does not support scanning inside containers.

A recent, supported version of Docker will need to be installed and configured, preferably from the operating system vendor’s package repositories.

The Sophos Antivirus for Linux Docker scanning functionality is available on supported releases of the following platforms: Red Hat, Ubuntu, CentOS, SUSE

For more information on Sophos Anti-virus for Linux see: supported platforms and operating systems

The Docker website recommends the following antivirus consideration:

When antivirus software scans files used by Docker, these files may be locked in a way that causes Docker commands to hang.

One way to reduce these problems is to add the Docker data directory (/var/lib/docker on Linux or $Env:ProgramData on Windows Server) to the antivirus’s exclusion list. However, this comes with the trade-off that viruses or malware in Docker images, writable layers of containers, or volumes are not detected. If you do choose to exclude Docker’s data directory from background virus scanning, you may want to schedule a recurring task that stops Docker, scans the data directory, and restarts Docker.
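The "(container hostname=<hostname>)" reporting described in the Sophos section and Docker's exclusion trade-off quoted above, in one added Python example (not Sophos' or Docker's code): it parses detection lines into path and container hostname and counts how many detections an exclusion of /var/lib/docker would have hidden from background scanning. The wording of the sample lines around that token is a constructed assumption, not Sophos' exact log format.

```python
"""Parse threat-report lines carrying the (container hostname=...) token and gauge exclusion impact."""
import re
from collections import Counter

DOCKER_DATA_DIR = "/var/lib/docker"   # the directory Docker suggests excluding (see the quote above)

# Assumed line shape: only the "(container hostname=<hostname>)" suffix comes from the article;
# the surrounding wording is a constructed example, not Sophos' exact format.
THREAT_RE = re.compile(
    r"'(?P<threat>[^']+)' found in file (?P<path>.+?)"
    r"(?: \(container hostname=(?P<container>[^)]+)\))?$"
)


def parse_threat_report(line):
    """Return {threat, path, container, in_docker_data_dir} or None if the line is not a detection."""
    m = THREAT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()                      # container is None for host-side detections
    rec["in_docker_data_dir"] = rec["path"].startswith(DOCKER_DATA_DIR + "/")
    return rec


def summarize(lines):
    """Count detections per origin ('host' or container hostname) and how many an exclusion of
    DOCKER_DATA_DIR would have hidden from background (on-access) scanning."""
    per_origin, hidden_by_exclusion = Counter(), 0
    for line in lines:
        rec = parse_threat_report(line)
        if rec is None:
            continue
        per_origin[rec["container"] or "host"] += 1
        if rec["in_docker_data_dir"]:
            hidden_by_exclusion += 1
    return {"per_origin": dict(per_origin), "hidden_by_exclusion": hidden_by_exclusion}


# Constructed sample lines (not real Sophos output); EICAR is the standard harmless test file.
SAMPLE_LINES = [
    "Virus 'EICAR-AV-Test' found in file /var/lib/docker/overlay2/3f9c/merged/tmp/eicar.com (container hostname=web-1)",
    "Virus 'EICAR-AV-Test' found in file /var/lib/docker/volumes/uploads/_data/x.exe (container hostname=api-2)",
    "Virus 'EICAR-AV-Test' found in file /home/admin/Downloads/eicar.com",
    "On-access scanning enabled",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```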
